Install the HSM vendor's PKCS#11 shared library on the server and verify it loads correctly with the HSM vendor's test utilities
Initialize a slot/token on the HSM, set the SO (security officer) PIN and user PIN following the vendor's hardening guide; store PINs in a secrets manager, never in source code
Generate (preferably) or import a key pair on the HSM with C_GenerateKeyPair using a key-generation mechanism (e.g., CKM_RSA_PKCS_KEY_PAIR_GEN or CKM_EC_KEY_PAIR_GEN). In the private-key template set CKA_TOKEN=CK_TRUE so the key persists across sessions, CKA_SENSITIVE=CK_TRUE so its value can never be read out in plaintext, and CKA_EXTRACTABLE=CK_FALSE so it cannot be wrapped out either; together these keep the key inside the HSM for its whole life. Note that an imported private key has by definition existed outside the HSM, so generate on-device whenever the use case allows it
In your application, load the PKCS#11 library via the language-specific binding (e.g., PyKCS11, pkcs11 for Go, or SunPKCS11 for Java), open a session, log in with the user PIN, and locate the private key object by its label or CKA_ID
Sign by calling C_Sign with a mechanism that matches what you pass in. The raw mechanisms do not hash: with CKM_RSA_PKCS the input must be the DER-encoded DigestInfo (hash algorithm OID plus digest), not the bare hash, or standard PKCS#1 v1.5 verifiers will reject the signature; with CKM_ECDSA the input is the bare hash, and the signature comes back as fixed-width r||s rather than the DER SEQUENCE that X.509 and TLS expect, so convert it. The combined mechanisms (CKM_SHA256_RSA_PKCS, CKM_ECDSA_SHA256, etc.) take the raw message and hash on the HSM, at the cost of shipping the whole message to the device
Close sessions promptly after use and implement session pooling carefully; HSMs have limited concurrent session capacity (C_GetTokenInfo reports it as ulMaxSessionCount), and a leaked session holds a login and a slot until the application restarts
Known gotchas
HSM slots and token state are persistent; too many incorrect PIN entries lock the token (C_Login starts returning CKR_PIN_LOCKED), and clearing that requires SO intervention or re-initialization, which on most tokens destroys every key object. The retry limit is enforced by the HSM itself, so the application's job is to not burn attempts: fail fast on CKR_PIN_INCORRECT, never loop on login, and alert an operator rather than retry with the same credential
PKCS#11 mechanisms vary by HSM vendor; a mechanism supported on one HSM may not be available on another, making portability non-trivial
CKA_SENSITIVE only prevents reading the private key in plaintext via C_GetAttributeValue; exporting it encrypted with C_WrapKey for backup additionally requires CKA_EXTRACTABLE=CK_TRUE, and PKCS#11 allows that attribute to be changed from CK_TRUE to CK_FALSE but never back. Decide at generation time: either generate non-extractable and rely on the vendor's own backup/cloning mechanism, or generate extractable-but-sensitive and back up by wrapping under a key that itself lives in an HSM. In both cases test the restore, not just the backup
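A worked example of the signing steps above, added here; it is not the page's own code and not from any HSM vendor. It uses the PyKCS11 binding, which is assumed installed, and assumes the library path, user PIN and key label arrive through the environment variables PKCS11_LIB, HSM_PIN and HSM_KEY_LABEL (names chosen for this example), the way a secrets manager would inject them. The pure-Python helpers digest_info() and ecdsa_rs_to_der() need no HSM and cover the two payload gotchas of the signing step (DigestInfo for CKM_RSA_PKCS, r||s to DER for CKM_ECDSA); sign_with_hsm() wires them to the PKCS#11 calls and fails fast on CKR_PIN_INCORRECT / CKR_PIN_LOCKED instead of retrying, as the lockout gotcha above requires.

```python
import hashlib
import os

# DER prefix of DigestInfo (SEQUENCE { AlgorithmIdentifier, OCTET STRING }) per hash.
# CKM_RSA_PKCS signs exactly this structure; handing it the bare hash yields a
# signature that standard PKCS#1 v1.5 verifiers reject.
_DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def digest_info(hash_name, data):
    """Hash `data` locally and wrap the digest in DigestInfo for CKM_RSA_PKCS."""
    if hash_name not in _DIGEST_INFO_PREFIX:
        raise ValueError(f"unsupported hash {hash_name!r}")
    return _DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, data).digest()


def _der_len(n):
    # Short form below 128, long form (0x80 | byte count, then big-endian bytes) above.
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(b):
    # Minimal positive INTEGER: strip leading zeros, re-add one if the top bit is set.
    b = b.lstrip(b"\x00") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def ecdsa_rs_to_der(sig):
    """Convert the fixed-width r||s that CKM_ECDSA returns into the DER SEQUENCE
    used by X.509 and TLS. Works for any curve size, including P-521."""
    if len(sig) == 0 or len(sig) % 2:
        raise ValueError("r||s must be two equal-length halves")
    half = len(sig) // 2
    body = _der_int(sig[:half]) + _der_int(sig[half:])
    return b"\x30" + _der_len(len(body)) + body


def sign_with_hsm(data, *, lib_path, pin, key_label, key_type="rsa", hsm_hashes=False):
    """Sign `data` with the private key labelled `key_label` on the first present token.
    key_type: "rsa" or "ec". hsm_hashes=True uses the combined mechanisms (HSM hashes the
    message); False hashes locally and sends only the digest structure."""
    import PyKCS11  # assumed installed; imported lazily so the helpers above work without it

    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    slots = lib.getSlotList(tokenPresent=True)
    if not slots:
        raise RuntimeError("no token present in any slot")
    session = lib.openSession(slots[0], PyKCS11.CKF_SERIAL_SESSION)
    try:
        try:
            session.login(pin)  # CKU_USER login; one attempt only
        except PyKCS11.PyKCS11Error as e:
            # Every failed attempt counts toward the token's lockout; never loop here.
            if e.value in (PyKCS11.CKR_PIN_INCORRECT, PyKCS11.CKR_PIN_LOCKED):
                raise RuntimeError("token rejected PIN; not retrying (lockout risk)") from e
            raise
        keys = session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                                    (PyKCS11.CKA_LABEL, key_label)])
        if len(keys) != 1:
            raise RuntimeError(f"expected one private key labelled {key_label!r}, found {len(keys)}")
        if key_type == "rsa":
            mech, payload = ((PyKCS11.CKM_SHA256_RSA_PKCS, data) if hsm_hashes
                             else (PyKCS11.CKM_RSA_PKCS, digest_info("sha256", data)))
        elif key_type == "ec":
            mech, payload = ((PyKCS11.CKM_ECDSA_SHA256, data) if hsm_hashes
                             else (PyKCS11.CKM_ECDSA, hashlib.sha256(data).digest()))
        else:
            raise ValueError(f"unknown key_type {key_type!r}")
        sig = bytes(session.sign(keys[0], payload, PyKCS11.Mechanism(mech, None)))
        return ecdsa_rs_to_der(sig) if key_type == "ec" else sig
    finally:
        # Release the login and the session slot even on error (capacity is limited).
        try:
            session.logout()
        except PyKCS11.PyKCS11Error:
            pass
        session.closeSession()


if __name__ == "__main__":
    # Environment variable names are this example's assumption; the PIN is injected
    # by a secrets manager at runtime, never committed to source.
    signature = sign_with_hsm(
        b"constructed sample message",
        lib_path=os.environ["PKCS11_LIB"],
        pin=os.environ["HSM_PIN"],
        key_label=os.environ["HSM_KEY_LABEL"],
        key_type=os.environ.get("HSM_KEY_TYPE", "rsa"),
    )
    print(signature.hex())
```

The two helpers are the part worth unit-testing in CI without hardware: if digest_info() or ecdsa_rs_to_der() is wrong, every HSM signature will fail verification downstream while the PKCS#11 calls themselves report success.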